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LockBit, Conti, and BlackCat Lead Pack 
Amid Rise in Active RaaS and 
Extortion Groups 


Ransomware in Q1 2022 


This data sheet pertains to the ransomware threat landscape of the first quarter of 2022. Sourced from ransomware- 
as-a-service (RaaS) and extortion groups’ leak sites, Trend Micro’s open-source intelligence (OSINT) research, and 
the Trend Micro™ Smart Protection Network™, the data presented here details the activity of ransomware in general 


and the ransomware families that dominated the landscape in particular during the period. 


Jan 2022 Feb 2022 Mar 2022 


Email threats 306,754 697,369 1,853,566 


URL threats 282,534 233,301 389,761 


File threats 195,376 253,196 228,046 


Total 784,664 1,183,866 2,471,373 


Total threats: 4,439,903 


Table 1. The numbers of ransomware threats detected and blocked by Trend Micro across email, URL, and file layers 
in each month of the first quarter of 2022 


Source: Trend Micro™ Smart Protection Network™ 


Jan 2021 Feb 2021 Mar 2021 


Email threats 482,614 453,065 367,979 


URL threats 749,403 641,479 693,569 


File threats 280,069 405,963 183,902 
Total 1,512,086 1,500,507 1,245,450 


Total threats: 4,258,043 


Table 2. The numbers of ransomware threats detected and blocked by Trend Micro across email, URL, and file layers 
in each month of the first quarter of 2021 


Source: Trend Micro Smart Protection Network 


Q1 2021 Q1 2022 


Active RaaS and extortion groups 


Victim organizations 


Table 3. The numbers of active RaaS and extortion groups and of victim organizations of successful ransomware 
attacks in the first quarter of 2021 and the first quarter of 2022 


Source: RaaS and extortion groups’ leak sites 


Industry Victim count 


Finance 


IT 


Manufacturing 


Professional services 


Construction 


Materials 


Healthcare 


Transportation 


Academe 


Automobile 


Table 4. The top 10 industries affected by successful RaaS and extortion attacks in terms of victim organizations 
in the first quarter of 2022 


Source: RaaS and extortion groups’ leak sites, and Trend Micro’s OSINT research 


Enterprise 


Consumer 


SMB 


Table 5. The numbers of ransomware file detections in machines in each business segment 
in each month of the first quarter of 2022 


Source: Trend Micro Smart Protection Network 


US 243 
UK 43 
Italy 37 
Germany 31 
Canada 24 


Country Victim count 


France 


Spain 


Brazil 


Switzerland 


Australia 


Table 6. The top 10 countries affected by successful RaaS and extortion attacks in terms of victim organizations 
in the first quarter of 2022 


Source: RaaS and extortion groups’ leak sites, and Trend Micro’s OSINT research 


Ransomware family Victim count 


LockBit 


Conti 


BlackCat 


Table 7. The top three ransomware families used in successful RaaS and extortion attacks in terms of 
victim organizations in the first quarter of 2022 


Source: RaaS and extortion groups’ leak sites 


Organization size LockBit Conti BlackCat 


Small 
(1 to 200 employees) 


Medium 
(201 to 1,000 employees) 


Large 
(more than 1,000 employees) 


Unknown 


Table 8. The distribution by organization size of LockBit, Conti, and BlackCat’s successful attacks in terms of 
victim organizations in the first quarter of 2022 


Source: LockBit, Conti, and BlackCat’s leak sites, and Trend Micro’s OSINT research 


Ransomware family Victim count 


WannaCry 


Locky 


Cerber 


GandCrab 


Ransomware family 


Maze 


Victim count 


StopCrypt 


DarkSide 


MountLocker 


Table 9. The top 10 ransomware families in terms of ransomware file detections in machines 


in the first quarter of 2022 (notable ransomware families highlighted) 


Source: Trend Micro Smart Protection Network 


WannaCry 3,997 | WannaCry 3,886 | WannaCry 4,227 
Locky 1,121 | Locky 1,236 | Locky 1,357 
GandCrab 555 | DarkSide 604 | Cerber 543 
Cerber 513 | Cerber 454 | GandCrab 406 
Maze 378 | GandCrab 437 | StopCrypt 295 

348 | Purgen 414 290 
MountLocker 285 386 232 

243 | Maze 326 | Crysis 223 
StopCrypt 237 273 | REvil 184 
REvil 198 | MountLocker 255 | MountLocker 184 
Others 14,670 | Others 14,338 | Others 12,371 


Table 10. The top 10 ransomware families in terms of ransomware file detections in machines in each month 


of the first quarter of 2022 (notable ransomware families highlighted) 


Manufacturing 


Government 


Source: Trend Micro Smart Protection Network 


Government 


Finance 


Finance 


Finance 


Government 


Manufacturing 


Fast-moving 


consumer goods 


Table 11. The top three industries in terms of ransomware file detections in machines 
in each month of the first quarter of 2022 


Source: Trend Micro Smart Protection Network 


Manufacturing WannaCry 159 | Government WannaCry 1,072 | Government | WannaCry 1,126 
(coy 6 WannaCrypt 7 Cerber 7 

Cerber 5 Cobra 4 Cobra 6 

Finance WannaCry 88 | Finance WannaCry 82 | Finance WannaCry 101 
GandCrab 71 GandCrab 45 55 

Cerber 46 Cerber 42 GandCrab 48 

Government WannaCry 929 | Manufacturing 163 | Fast-moving | Cerber 37 
Gort 5 WannaCry 157 a * Locky 32 

Locky 4 Thanos 8 Crypwall 26 


Table 12. The top three ransomware families in terms of ransomware file detections in machines in the top affected 
industries in each month of the first quarter of 2022 (notable ransomware families highlighted) 


Source: Trend Micro Smart Protection Network 


Enterprise 


WannaCry 


WannaCry WannaCry 


GandCrab DarkSide GandCrab 


Cerber Purgen Locky 


Locky GandCrab Cerber 


MountLocker 


Consumer Locky Locky Locky 


Cerber StopCrypt StopCrypt 


StopCrypt Cerber Cerber 


WannaCry WannaCry 


Gorf 


WannaCry 
Gorf 


WannaCry WannaCry 


WannaCry 


Maze Maze 


Locky 


Cerber 


GandCrab 


Table 13. The top five ransomware families in terms of ransomware file detections in machines in each business 
segment in each month of the first quarter of 2022 (notable ransomware families highlighted) 


Source: Trend Micro Smart Protection Network 


O 2 9 
4 96 O IS 


Maze 261 | WannaCry 898 | WannaCry 165 | Locky 726 | WannaCry 336 


Locky 157 | GandCrab 92 | GandCrab 83 | Cerber 115 | Hermes 24 
99 | MountLocker 65 | MountLocker 55 | Gorf 39 12 

WannaCry 74 | Egregor 42 | Egregor 36 | StopCrypt 37 | Cobra 10 

GandCrab 72 | REvil 32 | REvil 35 29 | Roduk 6 
71 | Shade 30 | Shade 30 | GandCrab 28 | Snatch 


Cerber 69 | Trytocry 30 | Trytocry 27 | Crawl 25 | Cerber 


4 
3 
Clop 64 |Goni | 28 | DarkSide 27 | Maze 21 | GandCrab 3 
3 
3 


Filecoder 53 | StopCrypt 26 “Conti | 27 | Fakeglobe 17 | Gorf 


Cryptesla 49 | Sekhmet 24 | Sekhmet 20 | Nemucod 17 | Ako 


Table 14. The top 10 ransomware families in the top five countries in terms of ransomware file detections in machines 
in January 2022 (notable ransomware families highlighted) 


Source: Trend Micro Smart Protection Network 


247 | WannaCry 974 | Locky 853 | WannaCry 114 | DarkSide 512 
Maze 196 | GandCrab 72 | Cerber 102 | Cerber 96 | WannaCry 176 
Babuk 121 71 | WannaCry 30 | Locky 78 | Cerber 5 
Locky 65 | MountLocker 66 | GandCrab 24 | Crypwall 62 | Locky 3 
Cryptesla 64 | Egregor 42 | Gorf 24 | GandCrab 54 | Polyransom 2 
WannaCry 60 | REvil 41 22 | Cryptesla 35 | StopCrypt 2 
GandCrab 50 | Shade 31 | Maze 21 | Crilock 28 | REvil 2 
Filecoder 45 | StopCrypt 31 | StopCrypt 18 | Cryptlock 23 | Winlock 1 
Cerber 45 | Trytocry 30 | Crypwall 17 | Cryphydra 23 | Cryak 1 
Clop 45 25 | Reveton 13 | Spora 23 | Shade 1 


Table 15. The top 10 ransomware families in the top five countries in terms of ransomware file detections in machines 
in February 2022 (notable ransomware families highlighted) 


Source: Trend Micro Smart Protection Network 


Crysis 130 | Locky 921 | WannaCry 1,137 | WannaCry 167 | WannaCry 69 
Locky 93 | Cerber 129 | StopCrypt 26 | Cerber 109 43 
Maze 82 | Crawl 39 | Lokilocker 23 | Locky 74 | Encoder 28 
Cerber 62 30 | GandCrab 20 | GandCrab 67 | Roduk 26 

57 | GandCrab 29 | Gorf 19 | Crypwall 63 | Ako 18 

64 | Gorf 23 | Polar 16 | Cryptesla 34 | GandCrab 15 
Cryptlock 38 | StopCrypt 21 | Egregor 13 | Spora 30 | Cobra 14 
Lokilocker 32 | REvil 19 | Cerber 13 | Crilock 29 | MountLocker 11 
GandCrab 31 | Crypwall 17 | Wanna 13 | Crypctb 26 | Gorf 10 
WannaCry 30 | Agent 17 | MountLocker 11 | Cryptlock 26 | Crysis 9 


Table 16. The top 10 ransomware families in the top five countries in terms of ransomware file detections in machines 
in March 2022 (notable ransomware families highlighted) 


Source: Trend Micro Smart Protection Network 


LockBit 


Finance 28 
Construction 21 
Manufacturing 21 
IT 16 
Professional services 16 
Transportation 11 
Academe 10 
Hospitality 10 
Real estate 10 
Legal services 9 
Materials 8 
Foods and staples i 
Government if 
Healthcare 7 
Retail T7 
Apparel and fashion 6 
Automobile 6 
Media and entertainment 6 
Community 5 
Consumer goods and services 4 


Industry Victim count 


Energy and utilities 


Telecommunications 


Trade 


Table 17. The distribution by industry of LockBit’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: LockBit’s leak site 


Victim count 


Europe 


North America 


Asia-Pacific 


Latin America and the Caribbean 


Middle East 


Africa 


Unknown 


Table 18. The distribution by region of LockBit’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: LockBit’s leak site 


Country or region Victim count 


US 69 
Italy 22 


France 14 


UK 13 


Germany 8 


Spain 


Canada 


India 


Mexico 


Brazil 


China 


Hong Kong 


Singapore 


Belgium 
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Czech Republic 


Country or region Victim count 


Netherlands 


Switzerland 


Turkey 


Australia 


Argentina 


Denmark 


Lebanon 


New Zealand 


Poland 


Portugal 
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Thailand 


Austria 


Bahrain 


Bosnia and Herzegovina 


Botswana 


Cayman Islands 


Chile 


Colombia 


Ecuador 


Finland 


Hungary 


Isle of Man 


Kuwait 


Puerto Rico 


Qatar 


Republic of the Congo 


Romania 


Saudi Arabia 


Senegal 


South Africa 


Tanzania 


UAE 


Unknown 


Table 19. The distribution by country or region of LockBit’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: LockBit’s leak site 


Conti 


Industry Victim count 


Manufacturing 


Materials 


Professional services 


Construction 


Automobile 


Finance 


IT 


Foods and staples 


Media and entertainment 


Retail 


Transportation 


Healthcare 


Legal services 


Apparel and fashion 


Academe 


Aerospace and defense 


Energy and utilities 


Hospitality 
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Real estate 


Table 20. The distribution by industry of Conti’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: Conti’s leak site 


Victim count 


North America 


Europe 


Asia-Pacific 


Africa 


Latin America and the Caribbean 


Middle East 


Table 21. The distribution by region of Conti’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: Conti’s leak site 


Victim count 


US 


Germany 


UK 


Italy 


Canada 


Australia 


Netherlands 


Sweden 


Switzerland 


Austria 


New Zealand 


Norway 


Belgium 


Brazil 


Brunei 


Denmark 


Indonesia 


Saudi Arabia 


Serbia 


Tunisia 


Table 22. The distribution by country of Conti’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: Conti’s leak site 


BlackCat 


Professional services 


Finance 


Legal services 


Apparel and fashion 


Materials 


IT 


Construction 


Energy and utilities 


Healthcare 


Manufacturing 
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Academe 


Industry Victim count 


Automobile 


Foods and staples 


Media and entertainment 


Transportation 


Real estate 


Retail 


Trade 


Table 23. The distribution by industry of BlackCat’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: BlackCat’s leak site 


Victim count 


North America 


Europe 


Asia-Pacific 


Latin America and the Caribbean 


Middle East 


Table 24. The distribution by region of BlackCat’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: BlackCat’s leak site 


Country or region Victim count 
US 27 
Italy 4 
Australia 3 
Canada 3 
China 3 
France 3 
Hong Kong 3 
Spain 3 
Bahamas 1 
Brazil 1 
Hungary 1 
India 1 
Indonesia 1 


Country or region Victim count 


Netherlands 


Romania 


Switzerland 
UAE 
UK 


Table 25. The distribution by country or region of BlackCat’s successful attacks in terms of victim organizations 
in the first quarter of 2022 


Source: BlackCat’s leak site 
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